Ubuntu通过samba winbind集成AD账号

2021-07-14 09:14

阅读:592

标签:sam   mes   ado   glob   use   table   ide   gre   share   

Ubuntu通过samba winbind集成AD账号:

安装软件:

apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

输入ming.com

vi /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat winbind

:wq

vi /etc/krb5.conf ([realms]下面其它的都可删掉)

[libdefaults]
default_realm = MING.COM (此处必须为大写)

[realms]
spreadtrum.com = {
kdc = 10.0.0.2:88
kdc = 10.0.0.3:88
default_domain = ming.com
}

:wq

kinit zhi.ming (能加域的普通AD账号即可)

输入账号密码

klist

vi /etc/samba/smb.conf

[global]

  workgroup = ming
  realm = ming.com
  netbios name = aa
  security = ADS
  dns forwarder = 10.0.0.1
  idmap config *:backend = tdb
  idmap config *:range = 50000-1000000

  template homedir = /home/%D/%U
  template shell = /bin/bash
  winbind use default domain = true
  winbind offline  logon = true
  winbind nss info  = rfc2307
  winbind enum users = yes
  winbind enum groups = yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

:wq

vi /etc/pam.d/common-account (自动创建家目录)

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
:wq

vi /etc/pam.d/common-password

password [success=1 default=ignore] pam_winbind.so try_first_pass (将默认的use_authtok去掉)

:wq

service smbd restart

service nmbd restart

net ads join -U zhi.ming (能加域的普通AD账号即可)

输入AD账号密码

注:
/etc/hosts里的主机名及域名要和加的AD域一致(不一致会加不进去)

service winbind restart

wbinfo -u (查看AD里的账号信息)

wbinfo -g (查看AD里的group信息)

getent passwd | grep zhi.ming

id zhi.ming

su - zhi.ming

远程ssh:

ssh zhi.ming@10.0.0.4

给sudo权限:

给个人:

vi /etc/sudoers

zhi.ming ALL=(ALL:ALL) NOPASSWD:ALL

:wq

给group(未成):

%MING\domain\ users ALL=(ALL:ALL) NOPASSWD:ALL

支持图形化登陆:

vi /usr/share/lightdm/lightdm.conf/50-ubuntu.conf

greeter-show-manual-login=true
greeter-hide-users=true

:wq

登陆时为ming\zhi.ming (即前要加域名)

注:

1、账号的uid和gid根据访问的先后顺利从50000开始排序(/etc/samba/smb.conf定义的),无法在AD里自定义
2、所有账号均可登录,无法通过/etc/passwd进行限制

通过AD域账号访问samba共享:

共享homes:

vi /etc/samba/smb.conf

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S

 :wq

 # service smbd restart

 访问:\\ip\zhi.ming    (此时不需要输用户名密码直接就可以访问自己家目录,访问不了别人的)

 共享特定目录:

 # vi /etc/samba/smb.conf

 [share]
comment = share
path = /space/share
browseable = yes
writable = yes
valid users = MING\zhi.ming
    :wq

    访问:\\ip\share     (此时不需要输用户名密码直接就可以访问)

Ubuntu通过samba winbind集成AD账号

标签:sam   mes   ado   glob   use   table   ide   gre   share   

原文地址:http://blog.51cto.com/yangzhiming/2164955


评论


亲,登录后才可以留言!